Comments: Is Security Compatible with Commerciality?

The "we all need to eat" argument implies fear that an honest approach to security will have you fired and someone else hired in your place. Those voicing such arguments are afraid, because there's nobody to stand up for them, and there are plenty to take their jobs, if they're out.
There are well-established means to combat such threats: guilds, trade associations, etc. Locksmiths have been among the first to form guilds in medieval Europe, and locksmith guilds are still alive and kicking in many parts of the world.
An information-security guild with a good (and strict) code of conduct, a well-functioning apprenticeship program, clear procedures for accepting and expelling members, would have the clout to enforce its principles and protect its members from NDAs contradicting them. After a while, it may even have enough lobbying power to affect legislation so as to mandate good security where it is needed.
How about founding one?

Posted by Daniel A. Nagy at August 12, 2005 10:17 AM

Ha! Good response.

A guild would indeed add some sort of solution to this problem but it comes at a large cost - that of an agenda to ensure its own survival over any other interests.

Indeed, by some views, there is a guild: the Cryptography Guild has been accused variously of PKI, digsig laws, the "no-risk" crypto methodology and the ban against non-members doing crypto.

Posted by Iang at August 12, 2005 10:51 AM

Which "two open organisations in the browser field"? Don't be such a coy maiden...

Posted by OL at August 12, 2005 11:49 AM

Any stable organization's ultimate goal is its own survival. However, when organizing people to achieve a particular goal, one needs to pick the organizational form where the survival of the organization is most compatible with the goal. If the goal is high-quality security services, a corporation is definitely not the best organizational structure, as you eloquently argue in your post.
A guild, with properly defined code of conduct and formalized procedures might come a lot closer, in my opinion. Sure, guilds have their costs and downsides, and guild-like behavior can cause a lot of damage, but I believe that it can be done right.
Also, as we know, cryptography!=security. Cryptography is just one class of security measures (and there are countless others). Information security is a lot more than cryptography. First and foremost it is about analyzing and modeling threats, to come up with useful ways of countering them, in my opinion. This is much easier said than done, and requires a lot of experience (some of it in the form of recorded past case studies).

Posted by Daniel A. Nagy at August 12, 2005 11:57 AM

I wrote critically about a browser manufacturer a month or two back, and they recently announced the creation of their commercial arm. I didn't know about it at the time but had been told on a few occasions that things were happening internally, secretly. It helps to explain their resistance to change from a model that was well accepted by the commercial players they had been negotiating with, even when shown to result in less security for their users.

The other organisation I'm looking at is a CA which is now following sort of the same path. It's working to get some sort of audit in place. But the audit process itself is (I claim) flawed in fundamental ways, and every time we get close to the flaws, the answer is "do you want to play with the big boys or don't you?"

Both these organisations have achieved good stuff - it serves no purpose to concentrate on them in particular as what is happening there is the same as that which happens in other places, and their presence on net improves security, in both senses of the word.

Posted by Iang at August 12, 2005 12:14 PM

Sure, I was just using crypto as an example because guilds had been discussed in the past.

OK, so what then would the Hallowed Guild of Financial Cryptographers look like? How would we induct new members?

Posted by Iang at August 12, 2005 12:53 PM